CVE-2023-5455

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-5455
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-5455.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-5455
Related
Published
2024-01-10T13:15:48Z
Modified
2024-10-12T11:13:49.241290Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.

References

Affected packages

Debian:12 / freeipa

Package

Name
freeipa
Purl
pkg:deb/debian/freeipa?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.9.11-1
4.9.11-1+exp1
4.9.11-2
4.10.1-1+exp1
4.10.1+dfsg1-1+exp1
4.10.2-1
4.10.2-2
4.10.2-2+exp1
4.11.1-1
4.11.1-1+exp1
4.11.1-2
4.11.1-2+exp1
4.11.1-2.1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/freeipa/freeipa

Affected ranges

Type
GIT
Repo
https://github.com/freeipa/freeipa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

alpha-1-9-0
alpha_1-4-2-0
alpha_1-4-4-0
alpha_2-1-9-0
alpha_3-1-9-0
alpha_4-1-9-0
alpha_5-1-9-0
alpha_5-1-9-0-1
beta_1-2-0-0
beta_1-3-0-0
beta_1-3-2-0
beta_1-3-3-0
beta_2-3-0-0
beta_2-3-3-0
milestone_2
milestone_3
milestone_4
milestone_4_1
milestone_6
rc_1-2-0-0
rc_2-2-0-0
rc_3-2-0-0
release-1-0-0
release-1-1-0
release-2-0-0
release-2-1-0
release-3-1-0
release-3-2-0
release-3-2-0-pre1
release-3-3-0
release-4-0-0
release-4-2-0
release-4-4-0
release-4-4-1
release-4-6-0
release-4-6-1
release-4-6-2
release-4-6-3
release-4-6-4
release-4-6-5
release-4-6-6
release-4-6-8
release-4-6-9